> users are generally pretty poor at managing software

This is an assertion which begs many questions.

Who are these users? What do you mean by "generally"? What do you mean by "poor"? What do you mean with "managing software"? Which software specifically? Why is "managing software" hard? What are specific case where this might be true? Is this statement falsifiable?

For instance, how does age, social background, education level, language, culture,... factor into the experience of "managing software"? Sure, the problem can't be software itself in it's entirety?

See, statements like these tend to break down once you start digging into the murky nuances and specificities of reality.

Moreover, accepting them at face value tends to reinforce a belief which isn't based on fact: that the users of digital technology can't manage their devices, and therefore shouldn't be confronted with managing their devices.

... which is then translated and implemented in interfaces and systems that simply lack the functionality that gives users fine grained control over what is or isn't installed.

Over a longer term, this promotes a form of "lazy thinking" in which users simply don't question what happens under the hood of their devices. Sure, people are aware of the many issues concerning privacy, personal data, security and so on. But ask them how they could make a meaningful change, and the answers will be limited to what's possible within the limitations of what the device offers.

A great example of this would be people using a post-it to cover the camera in the laptop bezel.

People don't know what happens inside their machine, they don't trust what happens on their machine, and there's no meaningful possibility to look under the hood and come to a proper understanding... so they revert to the next sensible thing they have: taping a post-it over the lens.

The post-it doesn't solve the underlying issue - a lack of understanding which was cultivated - but it does solve a particular symptom: the inability to control what that camera does.

It really doesn't beg those questions - we have 25+ years of data backing it up. People across the board are bad about running updates. I'm guessing you missed the mid-late 90s when things like buffer overflows started to be exploited and firewalls became necessities because even the folks whose job it was to run updates of vulnerable systems with public IPs on the Internet... weren't. Then came the early 2000s and all the worms running amok because people still weren't running their updates. Then the collective web development industry screamed in pain because things like Windows XP and IE6 just would not die.

The collective Internet has been through this before and (mostly) learned its lesson. People don't run updates when it's not shoved down their throat. And it's not a small segment of people. And it hasn't changed. Look at how many hacks still happen because of servers and apps that aren't patched for known vulnerabilities. Or the prevalence of cryptojacking which is still largely based on known vulnerabilities that already have patches available - indicating it's successful enough that people keep doing it.

Most users don't question what happens under the hood of their devices because they don't care. They have other things to care about that actually mean something to them besides the nuances of the day to day maintenance of their devices. There does not exist an effective way of making people care about things like this, let alone educating the masses on how to appropriately choose which commit hash of their favorite browser extension they should really be on. How many security newsletters do you really expect the average person to be subscribed to in order to make informed decisions about these things?

Hell my "Update" notification on Chrome is red this morning and I'm at least in the top 10% of security-conscious folks in the world (it's really not a high bar).

I'm not saying automatic updates are without their problems - I'm in a thread on HN about that exact thing. But trying to claim it's somehow about sociodemographic issues and the answer is solving that and going back to selectively running updates is just ignoring the lessons of the past.

I, and everyone else I know, do not install updates to our software in a timely manner unless we actively need a feature.

Users are "I, and everyone else I know".

Generally is "unless we need a feature".

Poor is "do not install updates to our software".

Managing software is "install updates".

Software is any software we use that provides updates, which is all of it.

Managing software is hard because doing it manually would require checking the website of every piece of software you've ever downloaded at regular intervals, where regular could be as frequently as minutes for security-critical tools.

If I ever downgrade my software and lock it to a specific version, I am now managing it manually, and all of the above applies.

I honestly don't think there are unquestioned assumptions here, because the task of keeping security-critical software up to date manually is nearly impossible for any user.

I honestly am not at all sure what you mean by much of that.

Demographics don't change the fact that if you don't automatically update software, many users simply won't. That's bad.

... in the usual pedantry of HN your use of "poor" was interpreted to mean socio-economic, rather than... "just bad at something"...

I don’t see how one could parse ”On the other hand users are generally pretty poor at managing software themselves” and assign that interpretation to “poor”.

I agree, but the user who responded to me seemed to talk about demographics as if I had meant "poor" as in not having much money.

The internet is global, sometimes I think things get lost in translation.

That's a reductionist reading of my comment.

I'm challenging your initial assertion that "people are poor at managing software". That's not enough of an explanation to support the second part of your claim:

> and as long as it works they'll happily and probably ignorantly run something that is not secure already and needs an update.

Are they poor at managing software because they are ignorantly running insecure software? Or are they ignorantly running insecure software because they are poor at managing software?

The replies so far take the entire context out of the picture and reframes the issue to "Users use their devices the 'wrong way'." and this can only be solved through technological advances.

I'm here questioning and challenging those assertions.

Oh I see. That's, weird, but thanks for letting me know.

That would cover users who are poor at managing software. Being able to turn them off would require someone to be good at managing software. Why remove control from those users?

I don't want to be saying that we should remove control, but I actually do think it's reasonable to. Even on a single-user device, security issues are not isolated. An infected machine will likely be used for things like spam and DDOS.

If you make something available for people to toggle that improves their experience, people are going to take advantage of that even if they don't really grasp or decide to ignore the consequences. In the case of updates the improved experience is not being nagged or forced to restart an application or the whole OS. And unfortunately the only way to really gatekeep that control to people who know what they're doing is giving it enterprise pricing.